Overview

overview

10

Static

static

10

cheat.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    147s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    06/03/2025, 09:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cheat.exe

  • Size

    197KB

  • MD5

    6b60d478dc59ba2d30610d57d36a929b

  • SHA1

    0b9240afd4338b4ec6608ea1a2ad4624fe02b1d8

  • SHA256

    e6a07c0c643535a9b65fb286f4fafce14fafef0b830557e2d67f91f06ae2bbbc

  • SHA512

    15967a5595bd8a2d413628a4d4d35f5bf60c3b4529c0d17216d43620918c386de1893e621985e8b04a508353e675f23b857c7fea11fe12aa247f0812626c2d4e

  • SSDEEP

    3072:od9kkHFE9jM/Oju8SKfbzxcwg7es6/Vsb8VKTup49oJMfF/H9N3Ky9NzLns:oFE9wUhcX7elbKTuq9bfF/H9d9n

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

ohsorry-20836.portmap.host:20836

Mutex

BV3jFFIYrb13VXbT

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Modifies registry class 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cheat.exe
    "C:\Users\Admin\AppData\Local\Temp\cheat.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4704
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
      PID:572
    • C:\Windows\system32\BackgroundTransferHost.exe
      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
      1⤵
      • Modifies registry class
      PID:4840
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2180

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\dd240bcf-0454-46ce-9b22-4cbfecc6341a.down_data
      Filesize

      555KB

      MD5

      5683c0028832cae4ef93ca39c8ac5029

      SHA1

      248755e4e1db552e0b6f8651b04ca6d1b31a86fb

      SHA256

      855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

      SHA512

      aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
      Filesize

      25KB

      MD5

      5417b341b1d2d5c87bbaf74821ff593f

      SHA1

      acafa0fde967d4b2ada5f1c72d77b00e8a3e75dc

      SHA256

      9733014a1bf6a19dec391c542adffdca2102fb4ebf92c7086ff7ea92b3b00fe5

      SHA512

      6c6948c81f5804d7a2b5db9c4c1a12f9d81ed74173baf3ea3f685a36b531b19ed47d0ce2f391b42b6182eefae204ccc97bc63c611c4b375fc3350174da4700fa

      Download Submit

    • memory/4704-0-0x00007FF9CF4D3000-0x00007FF9CF4D5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4704-1-0x0000000000D60000-0x0000000000D96000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4704-2-0x00007FF9CF4D0000-0x00007FF9CFF92000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4704-3-0x00007FF9CF4D3000-0x00007FF9CF4D5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4704-4-0x00007FF9CF4D0000-0x00007FF9CFF92000-memory.dmp

      Filesize

      10.8MB

      Download